I am planning to buy a commercial vulnerability scanner. Given the fact that my budget is limited, I am oscillating between NTOSpider and Acunetix.

According to some studies (2009), Acunetix is better, but I like the fact that NTOSpider integrates with Core Impact. We don't have Core Impact yet, but I will try to sell the idea of having a commercial pentesting tool (Core or Canvas).

So what do you recommend between the 2 of them?

I know that WebInspect is probably better, but it is almost $30k, and I have Burp Pro... I need a good scanner that will produce nice and useful reports.

Have you looked at NeXpose from Rapid7 or Nessus (Tenable)? The pro versions of those are pretty solid. NeXpose has Metasploit integration, so you can "test" some of the findings out. I think they are also slightly cheaper than the other products. Though Core seems to be the one to go with for its reporting alone.

Also, what are you looking to accomplish? Do you want to just find vulns, or find and test? Find, test, patch? GFI LANguard is useful for finding and patching. NeXpose finds and provides you with the fixes, including links to patches if available. It also provides the Metasploit module to test the vuln. Nessus will find and test the vuln and produce decent report data. It will also provide the information to fix the vuln.

Actually, I will have the money to buy a web application vulnerability scanner because we might get rid of Nexpose. It simply does not add any value to us. It is more expensive than Nessus (for example, a Nessus license for unlimited IPs costs $1,200, and Nexpose for 1000 IPs costs around $10,000).

Also, I did some scans and I didn't see big differences between the results. I even saw more false positives and more false negatives in Nexpose, but I don't want to go in there yet.

It is true that Nexpose integrates with Metasploit, but the pro version of Metasploit is $15,000. I would rather buy CANVAS or Core Impact if I really want a penetration testing framework. I know how to use the Metasploit framework, Burp..., but the other guy who is working with me has no idea about this. So we have to buy tools he is able to use.

I know that it is stupid, but the good side is that I can justify an excellent tool by saying that it is easy to use. I don't know if they will accept my request, but I can try.

Also, if (when) I'll leave, they must be able to produce the scans. That's the advantage of the commercial tools. The disadvantage is that some analysts have no idea of what they are doing; they produce hundreds of pages of reports without any value for the overall security.

I hear ya there; the tools make the job easy for us to gather the data, but the hard part is cleansing it for management. Good point about the MSF Pro and Nexpose costs, completely forgot about that.

As for web app, how about Cenzic Hailstorm? I haven't used it personally, but we were looking at it at my last job. Right now I am messing with w3af (another Rapid7 creation, so I am sure the pro version will cost a lot).

The main reason I prefer Nessus is that it produces better results. Also, when you are analysing the results, you have an option to see only the vulnerabilities for which an "Exploit exists". This is extremely useful. In Nexpose you can see the ones for which you have exploits in Metasploit and in exploit-db (very useful, and not present in Nessus). Also, in Nessus you have the mention that a Metasploit, CANVAS or Core Impact exploit exists. For the rest you have to search the net.

Among the false positives in Nexpose, the most annoying ones were the ones detected when I executed a scan using admin credentials. As an example, for one server it reported a browser exploit. In Metasploit the exploit applies to IE 6, but our machine had IE 8. Another one was valid for Win 2003 SP0, and our machine was for sure not SP0.

Last year I did a comparison between the two vuln scanners using regular network scans (without credentials). After the scan I tried to identify as many false positives as possible. The results from Nessus were much more accurate, and Nexpose missed a lot of vulnerabilities.

Another disadvantage of Nexpose is that if you enter a class C for scanning, it will consume 255 IPs (from a total of 1000 in my case). Because we are using many subnets, I would have to do a scan with Nmap first and then import the results into Nexpose. I think that sometimes, when you do this, it will erase old entries.

The advantages of Nexpose are the facts that you have nice management of the zones and extra scan engines, and that it produces more detailed reports, which give detailed remediation steps. For a big company the management of zones and scanners is a plus, because the Tenable Security Center (necessary to integrate the results from multiple Nessus scanners) costs $80,000. So, if you have many zones with many scanners and you want all of the results in one place, the Nessus vulnerability scanner is not the solution to go with. You either buy Tenable Security Center or go for another solution (Nexpose being one of them). In our case, we have a scanner internally, one in the DMZ and another one on a machine connected directly to the internet. With Nexpose, the first two could be combined, and all the results kept in the same place.

I haven't tried the integration of Nexpose with ArcSight yet, but I might try before our license expires.

And, yes, the price is important for me. Scanning 2500 real IPs (and I give it ranges that cumulate to almost 10,000 IPs) with Nessus costs us $1,200/year. With Nexpose it will cost way more.

Worse, we have Nexpose through Symantec, which resells it as CCS. When you have a problem and you need support, you have to deal first with Symantec, and when they are not able to fix the problem, they will escalate it to Rapid7 (which gave me the solution very rapidly).

Maybe I am biased, but this is my opinion. If you want, I can provide some tables with the results of two scans. My analysis is not 100% accurate, but there is a big difference between the two scanners.
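As an added example (not code from this thread or from Tenable), here is the "Exploit exists" view the post above likes in Nessus, reproduced outside the GUI from a .nessus (v2) export: it keeps only findings with `exploit_available` set, records which of Metasploit, CANVAS or Core Impact Nessus says has a module, and lists the rest as "search manually". It assumes the tag names the v2 .nessus format uses (`ReportHost`, `ReportItem`, `exploit_available`, `exploit_framework_metasploit`, `exploit_framework_canvas`, `exploit_framework_core`, `metasploit_name`, `cvss_base_score`); the embedded report is constructed for the example, not a real scan.

```python
"""Filter a Nessus .nessus (v2) export down to findings with a public exploit.

Added example, not the thread's or Tenable's code. The tag names below are
the ones the v2 .nessus format uses (an assumption of this example); the
sample report is constructed for the example, not taken from a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two hosts, three findings, two of them exploitable.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="example">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="operating-system">Microsoft Windows Server 2003 Service Pack 2</tag>
      </HostProperties>
      <ReportItem port="445" protocol="tcp" severity="4" pluginID="34477"
                  pluginName="MS08-067 Server Service RCE (constructed sample)">
        <exploit_available>true</exploit_available>
        <exploit_framework_metasploit>true</exploit_framework_metasploit>
        <metasploit_name>MS08-067 Microsoft Server Service Relative Path Stack Corruption</metasploit_name>
        <exploit_framework_core>true</exploit_framework_core>
        <exploit_framework_canvas>true</exploit_framework_canvas>
        <cvss_base_score>10.0</cvss_base_score>
      </ReportItem>
      <ReportItem port="0" protocol="tcp" severity="1" pluginID="10114"
                  pluginName="ICMP Timestamp Request Remote Date Disclosure">
        <exploit_available>false</exploit_available>
        <cvss_base_score>2.1</cvss_base_score>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="80" protocol="tcp" severity="3" pluginID="99999"
                  pluginName="Constructed web finding with no framework module">
        <exploit_available>true</exploit_available>
        <cvss_base_score>7.5</cvss_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Per-framework flags Nessus writes when it knows of a module (assumed tag names).
FRAMEWORK_TAGS = {
    "exploit_framework_metasploit": "Metasploit",
    "exploit_framework_canvas": "CANVAS",
    "exploit_framework_core": "Core Impact",
}


def _text(item, tag, default=""):
    """Text of a child element of a ReportItem, or default if absent."""
    node = item.find(tag)
    return node.text.strip() if node is not None and node.text else default


def exploitable_findings(nessus_xml):
    """Return findings with exploit_available=true, highest CVSS first.

    Each entry records host, port, plugin, CVSS score and which frameworks
    Nessus says carry a module. An empty frameworks list means the report
    only says "an exploit exists" and you still have to go find it.
    """
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            if _text(item, "exploit_available").lower() != "true":
                continue
            frameworks = [name for tag, name in FRAMEWORK_TAGS.items()
                          if _text(item, tag).lower() == "true"]
            findings.append({
                "host": host.get("name"),
                "port": "%s/%s" % (item.get("port"), item.get("protocol")),
                "plugin_id": item.get("pluginID"),
                "plugin": item.get("pluginName"),
                "cvss": float(_text(item, "cvss_base_score", "0")),
                "frameworks": frameworks,
                "metasploit_module": _text(item, "metasploit_name"),
            })
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


def summarize(findings):
    """One worklist line per finding: exploitable ones, most severe first."""
    lines = []
    for f in findings:
        where = ", ".join(f["frameworks"]) or "no framework listed (search manually)"
        lines.append("%s %s CVSS %.1f plugin %s: %s [%s]" % (
            f["host"], f["port"], f["cvss"], f["plugin_id"], f["plugin"], where))
    return lines


if __name__ == "__main__":
    for line in summarize(exploitable_findings(SAMPLE_NESSUS)):
        print(line)
```

To run it against a real export, replace `SAMPLE_NESSUS` with the contents of the .nessus file; a credentialed scan will usually add many more `ReportItem` entries, and this filter is what turns the hundreds of pages into the short list worth testing first.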

I am personally against web vulnerability scanners. They are noisy, blocked/detected by most WAFs/IDS/IPSes, and often generate false positives or miss things. For a vulnerability assessment they are OK, but for a pen test they are stupid and sometimes a game ender. I personally do all my assessments by hand with Firefox, Tamper Data and Firebug. My logic behind that is that I get a better idea of how the application works, and an attacker is going to use a setup that maximizes his or her anonymity; also, it's easier to look like a legitimate user if I am using a web browser than if I am sending huge numbers of packets with an automated tool and hoping the WAF only checks user agents. If I were doing a whitebox/vulnerability assessment type thing I'd use nikto/w3af; community tools generally have more frequent updates in my experience. But for a pen test I suggest you all do your tests by hand; they are paying you, not the tool :-p

I'm a little late getting around to this but I'll throw in my thoughts as well.

Nessus is pretty good for vulnerability scanning, but has been a little lacking in web application scanning from my point of view. It does find certain things, but it also misses a lot (depending on the application, of course). It also isn't as customizable as many other web scanners.

I evaluated a lot of different scanners recently, both open source and commercial, and most of them are pretty close in terms of the findings. In fact, open source tools that you can find in BackTrack found many of the same vulnerabilities that $30k commercial scanners found. Even though the results are roughly the same, you still get a lot more from most commercial scanners in terms of usability, support, and reporting. It's up to you whether or not that justifies the cost. Also, you can try to talk the price down with the vendor. I got a $36,000 quote down to $20,000. Still a ton of money, but if you can swing it... Either way, you'd have to do a good amount of manual testing to find all of the things that the scanner missed!

We got a commercial scanner because of the support and reporting. However, I still use that as a baseline and starting point for my manual tests, where I do most of my work. Hope that helps.